Author | Commit | Message | Date
Florian Roth | c93fd80482 | Merge branch 'master' into rule-devel | 2022-03-07 15:38:58 +01:00
Florian Roth | 0d083039ab | refactor: new PPLDump imphashes | 2022-03-07 15:38:53 +01:00
Florian Roth | b71417e807 | refactor: more exact imphash matching | 2022-03-07 12:03:32 +01:00
frack113 | 5d4035ea05 | Fix contains | 2022-03-06 20:50:19 +01:00
frack113 | 4db5798dd0 | fix error | 2022-03-06 20:43:34 +01:00
frack113 | 67189b6e51 | refactor regex | 2022-03-06 20:40:21 +01:00
frack113 | 793bf99c85 | refactor regex | 2022-03-06 20:15:32 +01:00
Florian Roth | 97744dc9eb | Merge pull request #2777 from frack113/regex_clean: refactor: regex | 2022-03-06 17:54:51 +01:00
Florian Roth | 1b0c7cc3b9 | Merge pull request #2776 from frack113/lolbas: Add lolbas rules | 2022-03-06 17:54:18 +01:00
frack113 | 18bb388574 | refactor: regex | 2022-03-06 13:38:47 +01:00
frack113 | d7b73be2c7 | Add Missing CurrentDirectory filter | 2022-03-06 13:22:30 +01:00
frack113 | cb7a776623 | Add lolbas rules | 2022-03-06 12:10:51 +01:00
Florian Roth | a30ee0b37d | Merge branch 'master' into rule-devel | 2022-03-05 12:39:13 +01:00
Florian Roth | f07e1bb6f1 | refactor: cobaltstrike beacon imphashes | 2022-03-05 12:33:06 +01:00
Florian Roth | f3518f2521 | rule: ntdll type redirect | 2022-03-05 10:39:33 +01:00
Florian Roth | ec62ec6bbb | fix: values missed escaping | 2022-03-05 10:39:15 +01:00
Florian Roth | 9595cef06e | Merge pull request #2771 from SigmaHQ/rule-devel: Multiple adjustments in different rules | 2022-03-05 09:57:12 +01:00
frack113 | 36e471dae6 | Merge pull request #2767 from d4rk-d4nph3/master: Added rule for Gamaredon UltraVNC Execution | 2022-03-04 20:59:35 +01:00
Florian Roth | 8b29c2202c | rule: hacktool imphashes | 2022-03-04 19:44:15 +01:00
Florian Roth | b90686251f | refactor: imphash adjustments | 2022-03-04 19:43:58 +01:00
Florian Roth | 85e2419436 | fix: duplicate UUID | 2022-03-04 17:12:31 +01:00
Florian Roth | e57b952455 | Merge branch 'master' into rule-devel | 2022-03-04 16:34:52 +01:00
Florian Roth | 05a9a910f4 | rule: PowerShell Defender base64 MpPreference | 2022-03-04 16:34:37 +01:00
Florian Roth | 8012efa9b5 | refactor: some adjustments | 2022-03-04 16:34:15 +01:00
phantinuss | 6c4d0c601b | fix: FP with Windows Defender ATP | 2022-03-04 14:07:29 +01:00
phantinuss | 4823d7943f | fix: exclude hotpotatoes FP | 2022-03-04 14:07:29 +01:00
phantinuss | df48b60cb4 | fix: FP with Datev SQL Server | 2022-03-04 14:07:29 +01:00
phantinuss | 324dca618b | fix: filter variant with double quotes | 2022-03-04 14:07:28 +01:00
Bhabesh | d14784510f | Added rule for Gamaredon UltraVNC Execution | 2022-03-04 15:40:33 +05:45
Florian Roth | eb06a6fdd1 | Merge pull request #2764 from SigmaHQ/rule-devel: refactor: PowerShell Defender modifications | 2022-03-03 23:29:08 +01:00
Florian Roth | b3b5b2cbdd | refactor: PowerShell Defender modifications | 2022-03-03 13:53:06 +01:00
frack113 | 0649b5d6ea | Add proc_creation_win_fsutil_symlinkevaluation | 2022-03-03 06:27:36 +01:00
Florian Roth | 071bcc2923 | Merge pull request #2761 from SigmaHQ/rule-devel: Minor changes, new PS downloader strings | 2022-03-02 17:47:11 +01:00
Florian Roth | 5e76089044 | refactor: additional strings in powershell downloader rule | 2022-03-02 11:01:28 +01:00
phantinuss | 3701bdfdbf | new rules: Base64 encoded keywords detected by Raccine | 2022-03-02 10:37:36 +01:00
phantinuss | c2a583a950 | fix: exclude more Teams Addin variants | 2022-03-02 10:36:07 +01:00
Florian Roth | 1435171490 | docs: minor changes to rules | 2022-03-01 16:02:22 +01:00
phantinuss | 81e3c105d2 | fix: trigger also by selection3 | 2022-02-28 17:50:32 +01:00
phantinuss | b1fc8b3641 | fix: Image casing | 2022-02-28 17:50:32 +01:00
phantinuss | 3c5535ae41 | fix: triggering on legitimate diskpart.exe usage | 2022-02-28 17:50:30 +01:00
Florian Roth | 313b4d7ca9 | rule: PowerShell downloader patterns | 2022-02-28 14:42:56 +01:00
Florian Roth | 25b414ea09 | refactor: separating Outlook.exe from other Office processes | 2022-02-28 13:12:46 +01:00
frack113 | 7fb8272f94 | Name Normalization | 2022-02-27 10:58:14 +01:00
Florian Roth | de197e7897 | Merge pull request #2747 from frack113/fix_detection: Fix detection | 2022-02-25 19:04:16 +01:00
Florian Roth | 5f8b16d147 | Merge pull request #2748 from SigmaHQ/rule-devel: rules: Hermetic Wiper, BlackByte reports | 2022-02-25 19:03:59 +01:00
Florian Roth | f647e45e69 | Merge pull request #2749 from redsand/fp_msiexec: Filters false positive from msiexec.exe | 2022-02-25 19:03:45 +01:00
Tim Shelton | 6d29b4c4a5 | oof, misspelled detection type 2 | 2022-02-25 16:34:32 +00:00
Tim Shelton | f6caaf795a | oof, misspelled detection type | 2022-02-25 16:32:33 +00:00
Florian Roth | 744813ff87 | rule: Hermetic Wiper group activity | 2022-02-25 17:29:32 +01:00
Florian Roth | eec5b1458c | docs: wording change | 2022-02-25 17:29:16 +01:00